V8.13.294.2025.10.28

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.archive/.0000_lib_usage.sh

@@ -21,7 +21,7 @@ usage() {
   clear
   cat << EOF
 $(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.292.2025.10.27\e[0m")
+$(echo -e "\e[92mMaster V8.13.294.2025.10.28\e[0m")
 $(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
 
 $(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")

.archive/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.292.2025.10.27"
+      placeholder: "e.g., Master V8.13.294.2025.10.28"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.290.2025.10.26
+  version: V8.13.294.2025.10.28
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.292.2025.10.27
+  version: V8.13.294.2025.10.28
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.290.2025.10.26
+  version: V8.13.294.2025.10.28
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.292.2025.10.27
+  version: V8.13.294.2025.10.28
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -244,6 +244,7 @@ jobs:
             --root-password-file /opt/config/password.txt \
             --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
             --ssh-pubkey /opt/config \
+            --sshfp \
             --trixie
 
           REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 name: 🔁 Render Graphviz Diagrams.
 

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.292.2025.10.27"
+properties_version="V8.13.294.2025.10.28"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.292.2025.10.27
+PackageVersion: Master V8.13.294.2025.10.28
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.292.2025.10.27-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.294.2025.10.28-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -26,7 +26,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +151,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.292.2025.10.27`
+Example: `V8.13.294.2025.10.28`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 

REPOSITORY.md

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2.1. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.292.2025.10.27** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.294.2025.10.28** (as of 2025-10-11)
 
 ## 2.2. Top-Level Layout
 

config/hooks/live/0001_initramfs_modules.chroot

@@ -224,7 +224,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # If set to all update-initramfs will update all initramfs
 # If set to no disables any update to initramfs besides kernel upgrade
 
-update_initramfs=yes
+update_initramfs=all
 
 #
 # backup_initramfs [ yes | no ]
@@ -303,7 +303,7 @@ COMPRESS=zstd
 # 1-9 for gzip|bzip2|lzma|lzop
 # 0-9 for  lz4|xz
 # 0-19 for zstd
-# COMPRESSLEVEL=3
+COMPRESSLEVEL=10
 
 #
 # DEVICE: ...
@@ -355,24 +355,95 @@ cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
 
 set -e
 
+printf "\e[95mStarting: [0001_initramfs_modules.chroot] \n\e[0m"
+
 PREREQ=""
-prereqs() { echo "$PREREQ"; }
+prereqs() { echo "${PREREQ}"; }
-case $1 in
+# shellcheck disable=SC2249
+case "${1}" in
   prereqs) prereqs; exit 0 ;;
 esac
 
 . /usr/share/initramfs-tools/hook-functions
 
-mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
 
-# Include Bash
+### Ensure directory structure in initramfs
-copy_exec /usr/bin/bash /usr/bin
+mkdir -p "${DESTDIR}/usr/bin"
+mkdir -p "${DESTDIR}/etc/keys"
+mkdir -p "${DESTDIR}/usr/local/bin"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+mkdir -p "${DESTDIR}/usr/sbin"
 
-# Include lsblk (block device information tool)
-copy_exec /usr/bin/lsblk /usr/bin
 
-# Include udevadm (udev management tool)
+### Include bash
-copy_exec /usr/bin/udevadm /usr/bin
+copy_exec /usr/bin/bash /usr/bin/bash
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
+
+
+### Include blkid
+copy_exec /usr/sbin/blkid /usr/sbin/blkid
+printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
+
+
+### Include busybox
+copy_exec /usr/bin/busybox /usr/busybox
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
+
+
+### Include GNU coreutils 'sort' (has -V)
+copy_exec /usr/bin/sort /usr/bin/sort
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
+
+
+### Include gpgv
+copy_exec /usr/bin/gpgv /usr/bin/gpgv
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
+
+
+### Include lsblk
+copy_exec /usr/bin/lsblk /usr/bin/lsblk
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
+
+
+### Include mkpasswd
+copy_exec /usr/bin/mkpasswd /usr/mkpasswd
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
+copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
+
+
+### Include udevadm (udev management tool)
+copy_exec /usr/bin/udevadm /usr/bin/udevadm
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
+
+
+### Include sha384sum, sha512sum
+copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
+copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
+
+
+### Include tree
+copy_exec /usr/bin/tree /usr/bin/tree
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
+
+
+### Include whois
+copy_exec /usr/bin/whois /usr/bin/whois
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
+
+
+### Link busybox applets for compatibility
+for dir in bin usr/bin; do
+  ln -sf busybox "${DESTDIR}/${dir}/cat"
+  ln -sf busybox "${DESTDIR}/${dir}/sleep"
+done
+
+printf "\e[92mSuccessfully executed: [0001_initramfs_modules.chroot] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
 
 chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder

config/hooks/live/0007_update_logrotate.chroot

@@ -24,10 +24,10 @@ cat << EOF >| "/etc/logrotate.conf"
 daily
 
 # Keep 384 daily worth of backlogs.
-rotate 384
+rotate 90
 
 # Hard cap: delete rotated logs older than 384 days.
-maxage 384
+maxage 90
 
 # Do not rotate the log if it is empty (this overrides the ifempty option).
 notifempty

config/hooks/live/9998_sources_list_trixie.chroot

@@ -126,7 +126,7 @@ fi
 
 apt-get update -qq
 apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacements/removals.
-apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'; don't run both.
+apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
 apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.
 
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

config/hooks/live/9999_yyyy_logrotate.chroot

@@ -37,13 +37,17 @@ declare     var_file="" var_log=""
 export DEBIAN_FRONTEND="noninteractive"
 
 for var_log in "${ary_logrotate[@]}"; do
+
   var_file="/etc/logrotate.d/${var_log}"
+
   [[ -e "${var_file}" ]] || continue
+
   ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
   sed -E -i \
     -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
-    -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 384\3\4/' \
+    -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 90\3\4/' \
     "${var_file}"
+
 done
 
 if ! logrotate -d /etc/logrotate.conf; then

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.292.2025.10.27
+# Version Master V8.13.294.2025.10.28
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.292.2025.10.27"
+declare -gr VERSION="Master V8.13.294.2025.10.28"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.292.2025.10.27 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.294.2025.10.28 at: 10:18:37.9542

docs/AUDIT_DNSSEC.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. DNSSEC Status
 

docs/AUDIT_HAVEGED.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Haveged Audit on Netcup RS 2000 G11
 

docs/AUDIT_LYNIS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Lynis Audit:
 

docs/AUDIT_SSH.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. SSH Audit by ssh-audit.com
 

docs/AUDIT_TLS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. TLS Audit:
 ````text

docs/BOOTPARAMS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Hardened Kernel Boot Parameters
 

docs/CHANGELOG.md

@@ -8,10 +8,18 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Changelog
 
+## V8.13.294.2025.10.28
+* **Added**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) + mksquashfs-excludes
+* **Updated**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + --sshfp
+* **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10
+* **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90
+* **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90
+* **Updated**: [9999-cdi-starter](../scripts/9999-cdi-starter) = unified logging
+
 ## V8.13.292.2025.10.27
 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel()
 

docs/CNET.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Centurion Net - Developer Branch Overview
 

docs/CODING_CONVENTION.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Coding Style
 

docs/CONTRIBUTING.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Contributing / participating
 

docs/CREDITS.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Credits
 

docs/DL_PUB_ISO.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
 

docs/DOCUMENTATION.md

@@ -8,12 +8,12 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2.1. Usage
 ````text
 CISS.debian.live.builder
-Master V8.13.292.2025.10.27
+Master V8.13.294.2025.10.28
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025
@@ -136,7 +136,7 @@ A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Ima
 # 2.2. Contact
 ````text
 CISS.debian.live.builder
-Master V8.13.292.2025.10.27
+Master V8.13.294.2025.10.28
 A lightweight Shell Wrapper for building a hardened Debian Bookworm Live ISO Image.
 
 (c) Marc S. Weidner, 2018 - 2025

docs/REFERENCES.md

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.292.2025.10.27<br>
+**Build**: V8.13.294.2025.10.28<br>
 
 # 2. Resources
 

lib/lib_lb_config_write_trixie.sh

@@ -107,11 +107,34 @@ lb_config_write_trixie() {
   sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
   sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
 
-  mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot"
   cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
   chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
   chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
 
+  ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
+  ### https://reproducible-builds.org/docs/system-images/
+  ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs"
+  cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
+boot/initrd.img-*
+boot/vmlinux-*
+boot/vmlinuz-*
+debootstrap
+debootstrap/*
+root/.wget-hsts
+tmp/*
+usr/lib/firmware/amd/*
+usr/lib/firmware/amd-ucode/*
+usr/lib/firmware/amdtee/*
+usr/lib/firmware/intel-ucode/*
+var/cache/apt/pkgcache.bin
+var/cache/apt/srcpkgcache.bin
+var/lib/apt/lists/*
+var/lib/initramfs-tools/*-amd64
+EOF
+  chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
+
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
 
   return 0

lib/lib_usage.sh

@@ -35,13 +35,13 @@ usage() {
   # shellcheck disable=SC2155
   declare var_header=$(center "CLB(1)                        CISS.debian.live.builder                        CLB(1)" "${var_cols}")
   # shellcheck disable=SC2155
-  declare var_footer=$(center "V8.13.292.2025.10.27                        2025-10-07                        CLB(1)" "${var_cols}")
+  declare var_footer=$(center "V8.13.294.2025.10.28                        2025-10-07                        CLB(1)" "${var_cols}")
 
   {
     echo -e "\e[1;97m${var_header}\e[0m"
     echo
     echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V8.13.292.2025.10.27\e[0m"
+    echo -e "\e[92mMaster V8.13.294.2025.10.28\e[0m"
     echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
     echo
     echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"

scripts/9999-cdi-starter

@@ -15,7 +15,7 @@ set -Ceuo pipefail
 umask 0077
 
 declare -grx  VAR_SEMAPHORE="/root/cdi.ciss" # Semaphore to appear.
-declare -girx VAR_TIMEOUT=60                 # Semaphore timer in seconds.
+declare -girx VAR_TIMEOUT=3600               # Semaphore timer in seconds.
 
 install -d -m 0755 /run/lock
 exec 9> /run/lock/9999-cdi-starter.lock
@@ -116,37 +116,37 @@ main() {
   declare -r var_repo_url="https://git.coresecret.dev/msw/CISS.debian.installer.git"
   declare -r var_repo_dir="/root/git/CISS.debian.installer"
   declare -i i=""
-  declare    var_mode=""
+  declare    var_log="" var_mode=""
+
+  var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
+
+  ### Prepare logging.
+  install -d -m 0700 /root/.ciss/cdi/log
+  # shellcheck disable=SC2312
+  exec > >(tee -a "${var_log}") 2>&1
+
+  printf "CISS.debian.installer Master V8.13.294.2025.10.28 is up! \n" >> "${var_log}"
 
   ### Sleep a moment to settle boot artifacts.
   sleep 8
 
   ### Harden Kernel parameters.
   sysp
-
+  printf "Command: [sysp] executed.\n" >> "${var_log}"
-  ### Prepare logging.
-  install -d -m 0700 /root/.ciss/cdi/log
-  # shellcheck disable=SC2155
-  declare -r log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +'%F_%H-%M-%S').log"
-  # shellcheck disable=SC2312
-  exec > >(tee -a "${log}") 2>&1
-
-  printf "CISS.debian.installer Master V8.13.292.2025.10.27 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log
 
   ### Wait for network connectivity.
   net_wait
+  printf "Command: [net_wait] executed.\n" >> "${var_log}"
 
   ### Download CISS.debian.installer.
   cd /root/git
-
   [[ -d "${var_repo_dir}" ]] && rm -rf "${var_repo_dir}"
-
   git clone "${var_repo_url}" "${var_repo_dir}"
-
   chmod 0700 "${var_repo_dir}/ciss_debian_installer.sh"
-
   cd "${var_repo_dir}"
 
+  printf "Command: [git clone %s %s] executed.\n" "${var_repo_url}" "${var_repo_dir}" >> "${var_log}"
+
   ### Poll up to VAR_TIMEOUT seconds for the semaphore to appear and be mode 0600.
   for ((i=0; i<VAR_TIMEOUT; i++)); do
 
@@ -157,6 +157,7 @@ main() {
       if [[ "${var_mode}" == "600" ]]; then
 
         logger -t cdi-watcher "Semaphore found (${VAR_SEMAPHORE}, mode 0600) after ${i}s -> invoking cdi()"
+        printf "Command: [cdi] to be executed.\n" >> "${var_log}"
 
         cdi
         ### cdi() never returns (it exits the script), so no code below this point in the 'then'-block will run.
@@ -164,6 +165,7 @@ main() {
       else
 
         logger -t cdi-watcher "Semaphore ${VAR_SEMAPHORE} present but wrong mode ${var_mode} (expected 600); ignoring"
+        printf "INFO: [Semaphore %s present but wrong mode %s (expected 600); ignoring] executed.\n" "${VAR_SEMAPHORE}}" "${var_mode}}" >> "${var_log}"
 
       fi
 
@@ -175,7 +177,7 @@ main() {
 
   ### Timeout reached without acceptable semaphore.
   logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V8.13.292.2025.10.27: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log
+  printf "CISS.debian.installer Master V8.13.294.2025.10.28: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
 
   exit 0
 }

var/early.var.sh

@@ -14,7 +14,7 @@
 
 # shellcheck disable=SC2155
 declare -grx VAR_CONTACT="security@coresecret.eu"
-declare -grx VAR_VERSION="Master V8.13.292.2025.10.27"
+declare -grx VAR_VERSION="Master V8.13.294.2025.10.28"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
 declare -gx  VAR_EARLY_DEBUG="false"
 declare -gx  VAR_HANDLER_AUTOBUILD="false"